I would try to track which specific user(s) this is happening to and isolate the full Negotiate stack. It's very likely that the error is simply correct: the user logging in doesn't have the right creds.

I mean, we need the server-side log of a single failed request/response. For example, it would be useful to know whether the client is doing NTLM or Kerberos, and then whether it already succeeded or failed a negotiation earlier.

"Invalid token" is a generic message from SSPI, so it can be one of the millions of things that could have gone wrong.
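One concrete way to answer the "NTLM or Kerberos?" question from a single logged request, as an added example that is not part of the post above: decode the base64 blob in the client's `Authorization: Negotiate ...` header and look at its framing. A raw NTLM token starts with the `NTLMSSP\0` signature; a GSS-API initial token is DER `[APPLICATION 0]` carrying a mechanism OID, and when that OID is SPNEGO the `mechTypes` list inside the NegTokenInit says which mechanisms the client offered, preferred one first, with the optimistic `mechToken` belonging to that first entry. The sample headers below are constructed by the example's own builder functions (the Kerberos one uses placeholder bytes where the AP-REQ would sit); they are not captured traffic, and the classifier does not validate the inner Kerberos or NTLM payload, only the framing.

```python
import base64

# Well-known GSS-API mechanism OIDs seen in Negotiate tokens.
OIDS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos (KRB5)",
    "1.2.840.48018.1.2.2": "Kerberos (MS-KRB5)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
SPNEGO_OID = "1.3.6.1.5.5.2"


def encode_oid(dotted):
    """Dotted OID -> DER content octets (base-128 arcs, first two arcs packed)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out += bytes(chunk)
    return bytes(out)


def decode_oid(body):
    """DER OID content octets -> dotted string."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def tlv(tag, content):
    """DER tag-length-value; long-form length up to two bytes is enough for these tokens."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + content


def read_tlv(buf):
    """Return (tag, content, rest) for the first DER element in buf."""
    tag, n, pos = buf[0], buf[1], 2
    if n & 0x80:
        width = n & 0x7F
        n, pos = int.from_bytes(buf[2:2 + width], "big"), 2 + width
    return tag, buf[pos:pos + n], buf[pos + n:]


def classify_negotiate_header(header_value):
    """Classify the value of an HTTP Authorization header, e.g. 'Negotiate YII...'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not Negotiate", "scheme": scheme}
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):
        # Raw NTLM with no SPNEGO wrapper: message type is a little-endian uint32 at
        # offset 8 (1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE).
        return {"kind": "NTLM (raw)", "ntlm_message_type": int.from_bytes(token[8:12], "little")}
    if token[0] == 0xA1:
        return {"kind": "SPNEGO NegTokenResp"}  # server challenge or client continuation leg
    if token[0] != 0x60:
        return {"kind": "unrecognized"}
    # GSS-API InitialContextToken: [APPLICATION 0] { mech OID, mechanism-specific inner token }
    _, body, _ = read_tlv(token)
    _, oid, inner = read_tlv(body)
    mech = decode_oid(oid)
    if mech != SPNEGO_OID:
        return {"kind": OIDS.get(mech, "unknown mechanism"), "mech_oid": mech}
    # NegTokenInit: [0] SEQUENCE { [0] mechTypes, [1] reqFlags, [2] mechToken, [3] mechListMIC }
    _, neg_init, _ = read_tlv(inner)
    _, fields, _ = read_tlv(neg_init)
    mech_types, optimistic = [], False
    while fields:
        tag, content, fields = read_tlv(fields)
        if tag == 0xA0:                       # mechTypes: SEQUENCE OF OID, preferred mechanism first
            _, oids, _ = read_tlv(content)
            while oids:
                _, o, oids = read_tlv(oids)
                mech_types.append(OIDS.get(decode_oid(o), decode_oid(o)))
        elif tag == 0xA2:                     # mechToken: optimistic token for mech_types[0]
            optimistic = True
    return {"kind": "SPNEGO NegTokenInit", "mech_types": mech_types, "optimistic_mech_token": optimistic}


def build_spnego_init(mech_oids, mech_token):
    """Constructed NegTokenInit for the samples below; not produced by a real client."""
    mech_types = tlv(0xA0, tlv(0x30, b"".join(tlv(0x06, encode_oid(o)) for o in mech_oids)))
    neg_init = tlv(0xA0, tlv(0x30, mech_types + tlv(0xA2, tlv(0x04, mech_token))))
    return tlv(0x60, tlv(0x06, encode_oid(SPNEGO_OID)) + neg_init)


def build_ntlm_negotiate():
    """Constructed minimal NTLMSSP_NEGOTIATE: signature, type 1, flags, empty domain/workstation fields."""
    return b"NTLMSSP\x00" + (1).to_bytes(4, "little") + (0xE2088297).to_bytes(4, "little") + bytes(16)


# Constructed sample headers standing in for the client's Authorization header in a server log.
SAMPLE_HEADERS = {
    "kerberos_first": "Negotiate " + base64.b64encode(build_spnego_init(
        ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"],
        b"\x00" * 8)).decode(),             # placeholder bytes where the Kerberos AP-REQ would sit
    "ntlm_in_spnego": "Negotiate " + base64.b64encode(build_spnego_init(
        ["1.3.6.1.4.1.311.2.2.10"], build_ntlm_negotiate())).decode(),
    "raw_ntlm": "Negotiate " + base64.b64encode(build_ntlm_negotiate()).decode(),
}

if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        print(f"{name:15} {classify_negotiate_header(header)}")
```

Run it against the `Authorization` header from the one failed request: a `mech_types` list led by a Kerberos OID with an optimistic token means the failure is on the Kerberos leg (ticket, SPN or clock problems), while `NTLMSSP` first, or a raw `NTLM (raw)` token, means the client never attempted Kerberos and the credentials or NTLM path are what to look at. A `NegTokenResp` in the client's header indicates a continuation leg, so an earlier round trip already happened.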